Complete the following tasks to prepare for the upgrade to NetWitness Platform XDR 12.1.1.0.
Task 1 (Optional). Remove Legacy Package Repositories
Perform this task to free up space by removing unused repositories from previous releases.
- Determine the version of the oldest NetWitness Platform host in your environment by doing one of the following:
  - Review the host list in the Admin user interface.
  - Run the following command on the NW Server:
    upgrade-cli-client --list
- Remove the legacy repository folders. You can safely remove all legacy package repository folders located at /var/netwitness/common/repo/<version> on the NW Server for all versions prior to the baseline major release version of the oldest active host in the environment.
  - If the oldest host version is 11.6.x.x (for example, 11.6.1.0), you can safely remove the 11.0.x.x, 11.1.x.x, 11.2.x.x, 11.3.x.x, 11.4.x.x, and 11.5.x.x repository folders. Do not remove the 11.6.x.x repository folders or any later version, because the oldest host still depends on its own release line.
  - If the oldest host version is 11.7.x.x, you can safely remove the 11.0.x.x, 11.1.x.x, 11.2.x.x, 11.3.x.x, 11.4.x.x, 11.5.x.x, and 11.6.x.x repository folders. However, do not remove repository versions greater than or equal to 11.7.0.0.
Task 2. Backup and Remove the Rotated RabbitMQ Logs
Before upgrading from 11.6.x or 11.7.x to 12.1.1.0, you must remove the old RabbitMQ logs to free up space on the /var/log mount. Follow the procedure below. In the commands, replace <sa-uuid> with the node UUID that appears in the log file names in /var/log/rabbitmq.
- Back up the rotated RabbitMQ logs into the /var/netwitness directory:
  mkdir /var/netwitness/rabbitmq_logsbkp
  scp -r /var/log/rabbitmq/ /var/netwitness/rabbitmq_logsbkp
- Remove the rotated RabbitMQ logs from /var/log/rabbitmq before the upgrade. The patterns match only rotated copies; the active rabbit@<sa-uuid>.log and rabbit@<sa-uuid>_upgrade.log files are left in place:
  cd /var/log/rabbitmq
  rm -f rabbit\@<sa-uuid>.log.*
  rm -f rabbit\@<sa-uuid>_upgrade.log.*
  rm -f *.gz
  rm -f rabbit@<sa-uuid>.log-*
Note:
- This procedure must be performed only once, before upgrading to 12.1.1.0. Post-upgrade, the RabbitMQ service automatically handles the log rotation.
- The command rm -f rabbit\@<sa-uuid>.log.* is used to clean up the old uncompressed logs such as log.1, log.2, and log.3.
- The command rm -f rabbit\@<sa-uuid>_upgrade.log.* is used to clean up the old uncompressed upgrade logs.
- The command rm -f *.gz is used to clean up the old compressed logs.
- The command rm -f rabbit@<sa-uuid>.log-* is used to clean up the old uncompressed logs rotated with logrotate.
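The script below is an added example, not part of the NetWitness procedure, that performs the backup-then-delete sequence above in one pass and makes the file-name rules explicit: it copies the whole log directory first, then deletes only names that one of the four rm patterns would match, so the active rabbit@<sa-uuid>.log and rabbit@<sa-uuid>_upgrade.log files survive. The --delete switch and the dry-run default are assumptions of this example.

```shell
#!/bin/sh
# Added example, not NetWitness tooling: back up /var/log/rabbitmq and delete
# only the rotated copies that the four rm commands above target.

# Succeeds when $1 is a rotated RabbitMQ log file name (safe to delete).
is_rotated_log() {
    case "$1" in
        rabbit@*_upgrade.log.[0-9]*) return 0 ;;   # rotated upgrade logs (_upgrade.log.1, ...)
        rabbit@*.log.[0-9]*)         return 0 ;;   # numbered rotations (log.1, log.2, log.3)
        rabbit@*.log-[0-9]*)         return 0 ;;   # logrotate dateext rotations (log-20230101)
        *.gz)                        return 0 ;;   # compressed rotations
        *)                           return 1 ;;   # active log or unrelated file: keep
    esac
}

# Usage: prune_rotated_rabbitmq_logs <log_dir> <backup_dir> [--delete]
# Copies the whole log directory to <backup_dir> first, then prints the rotated
# file names, deleting them only when --delete is given.
prune_rotated_rabbitmq_logs() {
    logdir="$1"; bkp="$2"; mode="${3:-dry-run}"
    mkdir -p "$bkp"
    cp -a "$logdir"/. "$bkp"/ || return 1     # back up before deleting anything
    for f in "$logdir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        if is_rotated_log "$name"; then
            if [ "$mode" = "--delete" ]; then rm -f -- "$f"; fi
            printf '%s\n' "$name"
        fi
    done
}

# Typical invocation on the NW Server: dry run first, then delete.
#   prune_rotated_rabbitmq_logs /var/log/rabbitmq /var/netwitness/rabbitmq_logsbkp
#   prune_rotated_rabbitmq_logs /var/log/rabbitmq /var/netwitness/rabbitmq_logsbkp --delete
```

The dry run prints exactly the names that --delete would remove, which is the check to make before running it on the NW Server: every printed name should carry a rotation suffix, and the bare .log files should be absent from the list.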
Task 3. Uninstall the Security Analytics l10n language pack
Before you upgrade from 11.6.x.x to 11.7.x.x or to 12.1.1.0, you must uninstall the Security Analytics l10n language pack.
Task 4. Preparing ESA Deployments for Migration to 12.1.1.0
Before upgrading to 12.1.1.0, NetWitness recommends that all ESA deployments be in an error-free state and that you remove any unused ESA deployments, because ESA deployments are migrated to policies and groups during the upgrade to 12.1.1.0. Each deployment is converted into a policy and a group, which become available to manage only after the Correlation servers are upgraded to 12.1.x.x.
Manage ESA Deployments and Data Sources
In 12.1 and later versions, you can manage ESA deployments and data sources only through Centralized Content Management. Go to (CONFIGURE) > Policies > Content > Event Stream Analysis to manage the ESA deployments and data sources. ESA rules are managed only in the ESA Rules page. Refer to the following screenshots.
Plan the upgrade so that the Correlation servers (ESA hosts) are upgraded immediately after the Admin Server. The deployments are not accessible until the corresponding Correlation servers are upgraded; until then, the Correlation servers continue to process alerts and events, but you cannot manage the migrated policies and groups.
For more information on Centralized Content Management and managing the deployments, see https://community.netwitness.com/t5/rsa-netwitness-platform-staged/centralized-content-management-guide-for-12-1-1/ta-p/694426.
IMPORTANT: If you need to import ESA Rules and Enrichments, NetWitness recommends importing the missing rules and enrichments before the upgrade.
The pre-upgrade and post-upgrade states of deployments are represented in the following table.
Sl. No. | Pre-upgrade Deployment State | Post-upgrade: Creates Policy | Post-upgrade: Creates Group | Post-upgrade: Policy Is Published
---|---|---|---|---
1 | Healthy deployment | Yes | Yes | Yes
2 | Deployment with errors | Yes | Yes | Yes
3 | Deployment with only rules | Yes | No | No
4 | Deployment with no rules | No | No | No
A healthy deployment contains no errors, and the required resources (ESA Server, data source, and ESA rule) have been added.
Note: NetWitness recommends that all the deployments maintain an error-free state and also remove any unnecessary or unused ESA deployments.
Task 5. Backup Elasticsearch Data (Users, Entities, Alerts, and Indicators)
Before upgrading the UEBA host from 12.0.0.0 and older versions to 12.1.1.0, you must perform the backup of your Elasticsearch data such as Users, Entities, Alerts, and Indicators (using the Elasticsearch migration tool) to retain them post upgrade.
Prerequisites
Make sure the following prerequisites are met before you perform the data backup:
- The current Elasticsearch version must be 5.5.0.
- The Presidio RPM version must be 12.0.0.0 or earlier.
- The ueba_es_migration_tool.zip file must be downloaded.
Note: ueba_es_migration_tool allows you to migrate Presidio Elasticsearch data from Elasticsearch version 5.5.0 to 7.15.2 while upgrading the UEBA host to 12.1.1.0 from 12.0.0.0 and older versions. The tool contains the elk-migration-script.sh script and the presidio-elk-migration-1.0.0.jar file, and it can be downloaded from https://community.netwitness.com/t5/netwitness-platform-downloads/ueba-elasticsearch-migration-tool/ta-p/687496.
To back up the Elasticsearch data:
- Select an available directory and unzip the ueba_es_migration_tool.zip file there.
- Change to the ueba_es_migration_tool directory and run the following command:
  sh elk-migration-script.sh
  The Elasticsearch migration tool guide is displayed.
- Select Export documents from elasticsearch 5.5.0 and enter yes when prompted to stop the airflow scheduler.
  Note: When you enter yes, the airflow scheduler stops consuming fresh incoming data such as Users, Entities, and Alerts. This avoids data loss during the export process.
- In the next step, select Fresh Export to export the existing data.
Note:
- If the Export operation fails due to a technical issue, select Resume Export once the issue is resolved to resume the Export operation.
- To view the log for succeeded or failed processes, go to <backup_directory_path>/log/log/es-migration-export.log.
Task 6 (Optional). Disable STIG-based FIPS Kernel Controls
If you enabled STIG-based FIPS Kernel controls, you must disable them before initiating the NetWitness Platform XDR upgrade process to avoid boot errors. To disable STIG-based FIPS Kernel controls, run the following commands:
manage-stig-controls --disable-control-groups 3 --host-all
grub2-mkconfig -o /boot/grub2/grub.cfg
After you upgrade NetWitness Platform XDR, ensure that you enable STIG-based FIPS Kernel controls.
Note: STIG-based FIPS Kernel controls which require modifications to kernel boot options are not enabled by NetWitness Platform XDR out-of-the-box.
Task 7 (Optional). Verify Connection for Live Server
Go to (Admin) > System > Live Services and run a test connection to verify that you can connect to the Live server; this connectivity is required by the source-server in 12.x and later. This step is optional and applies only to customers who have configured Live.
Task 8. Remove ECAT Integration
Before you upgrade from 11.7 and older versions to 12.0, 12.1, or 12.1.x.x versions, you must manually delete the RSA Endpoint (ECAT Data Sources) from the Context Hub Server.
Warning: If you fail to remove the RSA Endpoint (ECAT Data Sources) from the Context Hub Server before upgrading from 11.7 and older versions to 12.0, 12.1, or 12.1.x.x versions, the Context Hub Server Config page ((Admin) > Services > select the ContextHub Server > View > Config) keeps loading post upgrade. As a result, you cannot access the Data Sources.
To delete the RSA Endpoint (ECAT Data Sources):
- Go to (Admin) > Services and select the Context Hub Server.
- Click the actions menu icon and select View > Config.
  The Config page is displayed.
- In the Data Sources view, select the RSA Endpoint (ECAT Data Sources).
- Click the delete icon to delete the RSA Endpoint (ECAT Data Sources).